๐Ÿ›ก๏ธ IAM Role Agent

Least-privilege role recommendations for over-privileged GCP identities

1 Authenticate & find projects

Run gcloud auth print-access-token and paste it here. Used only for this session โ€” never stored or logged.

Discovery is limited to Roche RCP & ECF (gcp-* / gcp-ent-*) and RSC / science (PRJ-RSC-*) projects. Type any part of a project id or name to narrow the list โ€” required if your account can see many projects.

How do I get an access token?

The token is a short-lived (~1 hour) OAuth credential tied to your own Google identity โ€” the app acts strictly as you (RBAC), so you only ever see projects you already have access to.

  1. Install the Google Cloud CLI if you don't have it: cloud.google.com/sdk/docs/install
  2. Authenticate once:
    gcloud auth login
  3. Print a token and paste it above:
    gcloud auth print-access-token

Prerequisites

  • You need resourcemanager.projects.get / getIamPolicy on the projects you want to inspect (Viewer is enough).
  • Analysis (Step 3) reads the IAM Recommender, which needs recommender.googleapis.com enabled on the selected project.

References: print-access-token ยท Resource Manager

2 Select a project

Looks for principals holding a blacklisted role on the selected project โ€” this includes the primitive owner / editor / viewer roles plus other over-privileged admin roles from the Roche blacklist.

3 Select a member to analyze

โณ This can take up to a minute โ€” the analysis runs the member's permissions through the Galileo AI Gateway (Claude Opus). Please wait after clicking; don't refresh.

โœ… Recommended roles

๐Ÿ“‹ What to do with this

This is a recommendation โ€” the app does not change any IAM. Apply it by granting these predefined roles to on project and removing its current over-privileged role(s) (the blacklisted / primitive role it holds), so the member ends up with least privilege.

RSC users (before migrating to RCP): if you still have IAM permissions on the project, apply it yourself now โ€” after migration to RCP you will no longer be able to manage IAM directly.

On RCP: you can't change IAM directly โ€” copy the roles above and open an RCP Generic Request in ICARE, pasting the roles and asking the RCP team to grant them and remove the over-privileged one.